IN THE CLAIMS



1. (Currently Amended) A computer-implemented method of operating a
reference monitor simulator operable to recreate the operations performed by a
reference monitor on a computer system, the method comprising:

(A) defining at least one security rule specifying whether to allow
or deny a request to access at least one resource [[under a given set of
circumstances]];

(B) supplying at least one request to access a resource; [[and]]

(C) applying the at least one security rule in response to the at
least one request to access a resource to determine whether to allow or
prevent the at least one request; and

providing at least one parameter defining a system environment in
which the reference monitor executes, the at least one parameter includes
a time parameter which defines the passage of time perceived by the
computer system, the passage of time indicated by the time parameter is
faster than the actual passage of time.

2. (Canceled) 

3. (Canceled) 

4. (Canceled) 

5. (Currently Amended) The method of claim [[4]]1, wherein the passage of time
indicated by the time parameter enables the computer system to execute the
reference monitor simulator in an accelerated manner.

6. (Original) The method of claim 1, further comprising:

(D) assessing the effectiveness of the at least one security rule.

7. (Original) The method of claim 6, wherein assessing the effectiveness of the
security rule further comprises determining at least one of the number of 
improper access requests prevented and the number of proper access requests 
allowed. 

8. (Original) The method of claim 6, wherein assessing the effectiveness of the 
security rule further comprises determining a rate of improper requests 
prevented. 

9. (Original) The method of claim 1, wherein (B) further comprises an application
program supplying the at least one request to access a resource.

10. (Original) The method of claim 1, wherein (B) further comprises capturing at
least one request to access a resource before supplying the at least one request
to access a resource.

11. (Original) The method of claim 10, wherein a reference monitor performs the
capture of the at least one request to access a resource.

12. (Original) The method of claim 11, wherein the reference monitor which
performs the capture of the at least one request to access a resource is the same 
type of reference monitor as the reference monitor whose operations are 
recreated by the reference monitor simulator. 

13. (Original) The method of claim 10, wherein the captured at least one request 
to access a resource is an improper request.

14. (Original) The method of claim 13, wherein an improper request comprises a
request issued by an application in response to one of a virus and a buffer 
overrun attack. 

15. (Original) The method of claim 10, wherein the captured at least one request 
is modified prior to supplying the at least one request to access a resource. 

16. (Original) The method of claim 15, wherein the modification is performed by a 
user. 

17. (Original) The method of claim 6, wherein an electronic file system stores the 
at least one security rule, and wherein (D) further comprises the reference 
monitor simulator accessing the security rule in the electronic file system in 
response to receiving the at least one request to access a resource. 

18. (Currently Amended) The method of claim [[2]]1, wherein the at least one
parameter provided to the reference monitor simulator further includes at least 
one of a system clock, a wrapper function, and a timer event. 

19. (Original) The method of claim 1, further comprising:

(E) maintaining statistics on the operation of the reference monitor 
simulator. 

20. (Original) The method of claim 19, wherein the statistics include at least one 
of the number of requests per resource, number of total requests, type of request 
per resource, total of each type of request, number of queries, number of 
callbacks, number of requests allowed compared to number of requests 
expected, and number of requests prevented compared to number of prevented 
requests expected.

21. (Currently Amended) A computer-readable medium having instructions
recorded thereon which, when executed by a computer, cause the computer to
perform a method of operating a reference monitor simulator operable to recreate
the operations performed by a reference monitor on a computer system, the
computer-readable medium [[method]] comprising instructions for:

(A) defining at least one security rule specifying whether to allow or
deny a request to access at least one resource [[under a given set of
circumstances]];

(B) supplying at least one request to access a resource; [[and]]

(C) applying the at least one security rule in response to the at least
one request to access a resource to determine whether to allow or prevent
the at least one request; and

(E) providing at least one parameter defining the system environment
in which the reference monitor executes, the at least one parameter includes a
time parameter which defines the passage of time perceived by the computer
system, the passage of time indicated by the time parameter is faster than the
actual passage of time.

22. (Canceled) 

23. (Canceled) 

24. (Canceled) 

25. (Currently Amended) The computer-readable medium of claim [[24]]21, wherein
the passage of time indicated by the time parameter enables the computer 
system to execute the reference monitor simulator in an accelerated manner. 

26. (Original) The computer-readable medium of claim 21, further comprising
instructions defining:

U.S. Application No.: 10/822,069 Attorney Docket No.: CIS03-23(8431)

(D) assessing the effectiveness of the at least one security rule.

27. (Original) The computer-readable medium of claim 26, wherein assessing the 
effectiveness of the security rule comprises determining at least one of the 
number of improper access requests prevented and the number of proper access 
requests allowed. 

28. (Original) The computer-readable medium of claim 26, wherein assessing the 
effectiveness of the security rule comprises determining a rate of improper 
requests prevented. 

29. (Original) The computer-readable medium of claim 21, wherein (B) further
comprises an application program supplying the at least one request to access a
resource.

30. (Original) The computer-readable medium of claim 21, wherein (B) further
comprises capturing at least one request to access a resource before supplying
the at least one request to access a resource.

31. (Original) The computer-readable medium of claim 30, further comprising
instructions defining a reference monitor performing the capture of the at least
one request to access a resource.

32. (Original) The computer-readable medium of claim 31, wherein the reference
monitor which performs the capture of the at least one request to access a 
resource is the same type of reference monitor as the reference monitor whose 
operations are recreated by the reference monitor simulator. 

33. (Original) The computer-readable medium of claim 30, wherein the captured 
at least one request to access a resource is an improper request.

34. (Original) The computer-readable medium of claim 33, wherein an improper
request comprises a request issued by an application in response to one of a 
virus and a buffer overrun attack. 

35. (Original) The computer-readable medium of claim 30, wherein the captured 
at least one request is modified prior to supplying the at least one request to 
access a resource. 

36. (Original) The computer-readable medium of claim 35, wherein the 
modification is performed by a user. 

37. (Original) The computer-readable medium of claim 26, further comprising 
instructions defining an electronic file system storing the at least one security 
rule, and wherein (D) further comprises the reference monitor simulator 
accessing the security rule in the electronic file system in response to receiving 
the at least one request to access a resource. 

38. (Currently Amended) The computer-readable medium of claim [[22]]21, wherein
the at least one parameter provided to the reference monitor simulator further 
includes at least one of a system clock, a wrapper function, and a timer event. 

39. (Original) The computer-readable medium of claim 21, further comprising
instructions defining: 

(E) maintaining statistics on the operation of the reference monitor 
simulator. 

40. (Original) The computer-readable medium of claim 39, wherein the statistics 
include at least one of the number of requests per resource, number of total 
requests, type of request per resource, total of each type of request, number of
queries, number of callbacks, number of requests allowed compared to number
of requests expected, and number of requests prevented compared to number of 
prevented requests expected. 

41. (Currently Amended) A system for providing a reference monitor simulator
for simulating the operations performed by a reference monitor, the system
comprising:

a definer component to define at least one security rule specifying whether
to allow or deny a request to access at least one resource [[under a given]]

a supplier component to supply at least one request to access a resource;

an applier component to apply the at least one security rule in response to
the at least one request to access a resource to determine whether to
allow or prevent the at least one request; and

a provider component to provide at least one parameter defining the
system environment in which the reference monitor executes, the at least
one parameter includes a time parameter which defines the passage of
time perceived by

the time parameter is faster than the actual passage of time.

42. (Canceled) 

43. (Canceled) 

44. (Canceled) 

45. (Currently Amended) The system of claim [[44]]41, wherein the passage of time
indicated by the time parameter enables the system to execute the reference
monitor simulator in an accelerated manner.

46. (Original) The system of claim 41, further comprising an assessor component
to assess the effectiveness of the at least one security rule. 

47. (Original) The system of claim 46, wherein assessing the effectiveness of the 
security rule further comprises determining at least one of the number of 
improper access requests prevented and the number of proper access requests 
allowed. 

48. (Original) The system of claim 46, wherein assessing the effectiveness of the 
security rule further comprises determining a rate of improper requests 
prevented. 

49. (Original) The system of claim 41, further comprising an application program
to supply the supplier component with the at least one request to access a
resource.

50. (Original) The system of claim 41, further comprising a capture component to
capture at least one request to access a resource before supplying the at least
one request to access a resource.

51. (Original) The system of claim 50, wherein the capture component includes a
second reference monitor. 

52. (Original) The system of claim 51, wherein the second reference monitor is a 
same type of reference monitor as the reference monitor whose operations are 
recreated by the reference monitor simulator. 

53. (Original) The system of claim 50, wherein the capture component captures 
at least one request to access a resource which is an improper request.

54. (Original) The system of claim 53, wherein an improper request comprises a
request issued by an application in response to one of a virus and a buffer 
overrun attack. 

55. (Original) The system of claim 50, further comprising a modification 
component to modify at least one captured request prior to supplying the at least 
one request to access a resource. 

56. (Original) The system of claim 55, wherein the modification component takes 
input from a user. 

57. (Original) The system of claim 41, further comprising an electronic file system
which stores the at least one security rule, and the applier component accesses 
the security rule in the electronic file system in response to receiving at least one 
request to access a resource. 

58. (Currently Amended) The system of claim [[42]]41, wherein the provider
component provides at least one parameter to the reference monitor simulator 
which includes at least one of a system clock, a wrapper function, and a timer 
event. 

59. (Original) The system of claim 41, further comprising:

(E) a statistics component to maintain statistics on the operation of the 
reference monitor simulator. 

60. (Original) The system of claim 59, wherein the statistics component maintains 
statistics which include at least one of the number of requests per resource, 
number of total requests, type of request per resource, total of each type of 
request, number of queries, number of callbacks, number of requests allowed
compared to number of requests expected, and number of requests prevented
compared to number of prevented requests expected. 

61. (Canceled) 

62. (Canceled) 

63. (Canceled) 

64. (Canceled) 

65. (Canceled) 

66. (Canceled) 

67. (Canceled) 

68. (Canceled) 

69. (Canceled) 

70. (Canceled) 

71. (Canceled)

72. (Canceled) 

73. (Canceled) 

74. (Canceled)

75. (Canceled)

76. (Canceled) 

77. (Canceled) 

78. (Canceled) 

79. (Canceled) 

80. (Canceled) 

81. (Currently Amended) A method of evaluating a security rule on a computer
system, the method comprising:

(A) applying, by a reference monitor simulator operable to recreate
operations performed by a first reference monitor, a security rule in
response to receiving a request to access a resource, the security rule
defining whether to allow or prevent the request;

(B) assessing the effectiveness of the security rule; and

(C) providing at least o.^ environment
in which the security rule is applied, the at least one parameter
includes a time parameter which defines the passage of time
perceived by the computer system, the passage of time indicated by
the time parameter is faster than the actual passage of time.

82. (Canceled)

83. (Canceled)

85. (Currently Amended) The method of claim [[84]]81, wherein the passage of time
indicated by the time parameter enables the reference monitor simulator to
execute in an accelerated manner.

86. (Original) The method of claim 81, wherein assessing the effectiveness of the
security rule includes determining at least one of the number of improper access 
requests prevented and the number of proper access requests allowed. 

87. (Original) The method of claim 86, wherein assessing the effectiveness of the 
security rule includes determining a rate of improper requests prevented. 

88. (Original) The method of claim 81, wherein (A) further comprises applying the
security rule in response to receiving a request issued by an application program. 

89. (Original) The method of claim 88, wherein the request is captured. 

90. (Original) The method of claim 89, wherein the capture is performed by a 
second reference monitor. 

91. (Original) The method of claim 90, wherein the second reference monitor is
the same type of reference monitor as the first reference monitor whose 
operations are recreated by the reference monitor simulator. 

92. (Original) The method of claim 89, wherein the captured request is an 
improper request. 

93. (Original) The method of claim 92, wherein an improper request includes a 
request issued in response to one of a virus and a buffer overrun attack.

94. (Original) The method of claim 89, wherein the captured request is modified
prior to applying the security rule. 

95. (Original) The method of claim 94, wherein the modification is performed by a 
user. 

96. (Currently Amended) The method of claim [[82]]81, wherein the at least one
parameter includes at least one of a system clock, a wrapper function, and a 
timer event. 

97. (Original) The method of claim 81, wherein (B) further comprises maintaining
statistics on the application of the security rule. 

98. (Original) The method of claim 97, wherein the statistics include at least one 
of the number of requests per resource, number of total requests, type of request 
per resource, total of each type of request, number of queries, number of 
callbacks, number of requests allowed compared to number of requests 
expected, and number of requests prevented compared to number of prevented 
requests expected. 
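
The method of claims 81 and 86 to 98, worked through as an added Python example that is not part of the application: captured requests are replayed against security rules under a simulated clock, and the simulator reports the effectiveness statistics. The `SimClock` class, both rule functions, the capture data and the 3600x speed-up are assumptions constructed for illustration.

```python
from collections import Counter, namedtuple
# at = simulated seconds since capture start; improper = label set at capture time
Request = namedtuple("Request", "at app op resource improper")

class SimClock:  # time parameter: simulated time runs `speedup` x faster than real
    def __init__(self, speedup):
        self.speedup, self.now = speedup, 0.0
    def advance_to(self, sim_t):
        self.now = max(self.now, sim_t)
    def real_elapsed(self):  # wall-clock seconds the simulated span costs
        return self.now / self.speedup

# Hypothetical rules: return False to deny, None when the rule does not apply.
def no_exec_from_tmp(req, clock, allowed_at):
    return False if req.op == "exec" and req.resource.startswith("/tmp/") else None

def write_rate_limit(req, clock, allowed_at, limit=2, window=3600):
    if req.op != "write":
        return None
    recent = [t for t in allowed_at if clock.now - t < window]
    return False if len(recent) >= limit else None

def simulate(requests, rules, clock):
    stats, history = Counter(), {}
    for req in sorted(requests, key=lambda r: r.at):
        clock.advance_to(req.at)
        allowed_at = history.setdefault((req.app, req.resource), [])
        verdicts = (rule(req, clock, allowed_at) for rule in rules)
        allow = next((v for v in verdicts if v is not None), True)  # default: allow
        if allow:
            allowed_at.append(clock.now)
        outcome = ("allowed" if allow else "prevented") + ("_improper" if req.improper else "_proper")
        stats.update(["total", "resource:" + req.resource, "type:" + req.op, outcome])
    improper = stats["prevented_improper"] + stats["allowed_improper"]
    rate = stats["prevented_improper"] / improper if improper else 1.0
    return stats, rate  # counters plus rate of improper requests prevented

# Constructed capture: rows 3, 4 and 6 are improper; no rule covers the last read.
CAPTURE = [Request(*r) for r in [
    (0, "editor", "write", "/etc/app.conf", False),
    (600, "editor", "write", "/etc/app.conf", False),
    (900, "editor", "write", "/etc/app.conf", True),
    (1200, "browser", "exec", "/tmp/payload.bin", True),
    (4500, "editor", "write", "/etc/app.conf", False),
    (5000, "browser", "read", "/home/u/.ssh/id_rsa", True),
]]

if __name__ == "__main__":
    print(simulate(CAPTURE, [no_exec_from_tmp, write_rate_limit], SimClock(speedup=3600)))
```

The improper read that no rule covers shows up as `allowed_improper`, which is the gap the effectiveness assessment is meant to expose before a rule set is deployed.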



